Straight talk from the OSPA President

16Dec Security Warning: Internet Explorer

If you’re currently using Internet Explorer, please be aware that Microsoft has issued a warning about a security flaw in all versions of the browser that is currently affecting around 2 million users.

According to PC World Magazine, “So far most of the attacks have been geographically centered on China and have been used for the purposes of stealing computer game passwords. But with a flaw as gap-toothed as this, the possibilities of nefarious action could include the massive theft of personal information such as administrative computer passwords and financial data.”

Although workarounds are available, Microsoft has suggested using an alternate browser, such as Firefox, in the meantime. Certain government systems are still required to use Internet Explorer; for those, workarounds are available, and your IT/IMO staff should have more information.

Please see http://www.washingtonpost.com/wp-dyn/content/article/2008/12/16/AR2008121601022.html for more information.

26Nov General Patton and OPSEC

With Thanksgiving right around the corner, it makes me think of my family when I was coming up. We’d spend all day cooking the turkey, and the yams with those tiny marshmallows, and then we’d all sit around the table and watch George C. Scott in Patton.

No, not really. But it was a convenient way to segue into an incident that was only briefly covered in the movie, yet required a great deal of complexity to succeed, and that is an excellent example of OPSEC (and strategic misinformation!) in action.

If you’ve seen the movie, you’re familiar with the “slapping incident” of 1943, in which General Patton slapped a Soldier by the name of Charles Kuhl who was weeping in the infirmary. (For history buffs: it turned out that Kuhl had malaria at the time. Despite the incident, he later described Patton as a “Great General”.)

When the stateside public and press learned of the incident, President Eisenhower was pressured to send Patton home in disgrace. However, Eisenhower and George Marshall came up with an alternate plan.

Patton was removed from any major command, but kept in theater. The German High Command was familiar with (and some say afraid of) Patton, so his location was closely watched for any sign of impending attack. As such, his extended stay in Sicily was seen as a clear indicator of an upcoming invasion through France. Later, his visit to Cairo caused additional resources to be misdirected towards repelling an attack from the Balkans.

In the months before the 1944 Normandy Invasion, Allied forces launched “Operation Fortitude”, which was a major military disinformation campaign that involved controlled leaks of information, fake (even inflatable!) military equipment, message traffic and double agents. Perhaps most effective, however, was Patton’s public leadership of the (non-existent) First US Army Group (FUSAG).

A culmination of this effort, and a memorable event for all involved, was when Patton shouted across a crowded reception hall to Eisenhower, “I’ll see you in Calais!”, which surely upset those that weren’t in on the ruse.

The efforts were highly successful and turned the tide of the war. The German Army had everything that they needed, and the Allies appeared to be practicing very poor OPSEC. This story applies today. Remember that when something seems “too perfect” or “obvious”… It just might be intentional.

…And now you know… The rest of the story.

10Sep Guest post- The Information Age and OPSEC

The Information Age and OPSEC

By Victor Duckarmenn

In 1941, we had our first real computer, called the Z-3. By 1971, we had E-mail; in 1989, the World Wide Web (WWW); and wireless devices by the year 2000. Additional wonders of technology increase every decade. What are the consequences of all this “progress” and technological change? Did personal or mission related information become more secure? Did space operations Essential Elements of Friendly Information (EEFI) become more or less important, or just disappear with the advent of our space business? I am afraid our technical information, space mission secrets, and our personal and space system data are all under attack every moment of the day. What information do you need to protect? Let’s look at critical information and its nature.

The nature of critical information is defined in one word: “vulnerable”. With advancing technology we find ourselves bracing for insider and hacker-cracker attacks, and our systems are open to increased access via commercial Off-The-Shelf (COTS) purchases without the need to protect our internal information being identified. Identity theft activity is on the rise. The crime of the 21st century will obviously be the theft of personal information. Data-mining, war-driving, and the lack of attention to our privacy and the 1972 Privacy Act have become the “white noise” behind our wireless vulnerabilities. Consider, if you will, the tempo of information flow today. There is so much information available on the “net” or “grid” that it scares Information Assurance (IA), Operations Security (OPSEC), computer security (COMPUSEC) and Info-Security (INFOSEC) subject matter experts (SMEs) to death. What are the “points of information contact” we need to watch for? What are the four OPSEC arenas in the information protection battle? They are the physical, administrative, action and technical. In 1941 we began the information age and the “Info-war”. What can you, the information warrior, do? Let’s look at generic measures in the four OPSEC arenas.

In order to combat the physical issues in protecting space operations information, it is very simple: lock up mission sensitive, controlled unclassified, “For Official Use Only” (FOUO) and Privacy Act information. Implement double locks where possible to eliminate corporate and individual liabilities. The lack of consequences in the past for violations of the Privacy Act, or for leaving mission critical controlled unclassified information in the trash, caused the death of this very simple measure. Apathy and complacency are your adversary’s tools in the information war. I call them the “gruesome two-some”. What about administration?

Don’t leave your private information, recall rosters or sensitive data out in the open, on your desk, or transmit it into the airwaves for all to receive. Administration has many natural controls, including 100% cross-cut shredding, both at home and at work, and the sanitization of voice mail and out-of-office replies. Just a simple clean desk policy, without posting retirement orders or system information, could win the OPSEC “info-war”. What about actions?

Conversations are a form of action. Stopping off-base conversations about the mission’s failure or success (which can also be electronic), or talking out loud where local people do not have a “need to know”, can be key to the denial of information to your intelligence enemies. What about the technical area?

One recommendation to ensure success in the technical arena is simply to restrict your wireless usage during government business. Use a landline to discuss command and control information. A cell phone or personal assistant device (PAD) is like lighting up a cave with a halogen flashlight – the bats know you’re in the cave! It is important not to lose a cell phone or government thumb drive that is filled with critical information. So what?

The information age is still growing, and the value of protecting our space operations information is more “value added” every day. Protect your wingman’s personal information. Protect your mission’s operational information. Your personal OPSEC has come of age; the information age!

08Sep Playing with OPSEC

By now, we’ve all taught our children what it’s “safe” to say, and what they should avoid saying, when they’re using the computer. They probably know what chat rooms to avoid and to be aware that “Sweet16girlie” might be more accurately described as “Unwashed46Man”.

So you’ve got the OPSEC for your family computer down pat.

What about the Playstation? What about the X-Box? Many families pay a monthly subscription fee to add network gameplay to these gaming consoles, which also allows for chat and even file transfer.

Make sure to talk to your kids about OPSEC and gaming consoles. Not only children play video games!

01Sep “The deposit box is out of order”

The Oregon newspaper The Oregonian reported the following on August 19, 2008:

Two men made off with hundreds of dollars in cash by dressing as security guards, standing outside a bank’s night deposit slot and persuading people to hand over their money because the slot was broken.

The men offered to make the deposits for customers at the Washington Square branch of Wells Fargo Bank the next day when the bank reopened, said Jim Wolf, a Tigard Police Department spokesman.

“Wells Fargo had absolutely no idea who these men were,” Wolf said.

He said the men wore uniforms and had badges and guns. The night deposit slot was covered by a blue engraved sign saying it was out of order.

The men offered to collect the deposits by putting them in a black box they had, Wolf said. The deposits came from businesses that normally use the slot to deposit the day’s receipts from their tills.

Two people who gave deposits to the men said the sign over the slot read “Out of Service.”

These men had many factors in their favor. Generally, people trust those that appear to have authority. Also, many people consider it “rude” to question someone who’s “just doing their job”, and many people have very low standards for correlation; in this case, the sign said the deposit box was out of order and there was a guard nearby, so “it must be true!”

The same threats exist against your organization. A “Social Engineer” will rely on those same assumptions, and several more, when attempting to infiltrate or obtain information to which they wouldn’t normally have access. Remember that enforcing security isn’t “rude”, and following proper procedures isn’t being “paranoid”!

17Aug Becoming an OPSEC Superstar

When you think of the term “OPSEC Superstar”, there are probably a few specific individuals that stand out in your mind. Some of them may be humorous characters, while others might be quietly toiling away to keep their organizations safe.

You, too, can be an OPSEC superstar.

First, you need to know the material. When you hit that red carpet at OPSEC events, you’ll encounter some tough questions. And given the nature of OPSEC, most of the questions will rely on your opinion and experience, rather than facts and figures. For instance, an employee isn’t likely to come up to you asking, “Say, what’s the fourth step in the OPSEC Process?”, but you will most likely hear, “Is it ok to publish this?” more than once. Understanding not only the “concepts” of OPSEC, but also the “philosophies” of OPSEC will allow you to give an informed and relevant reply. Failing to understand the material will destroy your credibility.

You also need to know yourself. Know your teaching style or styles of communication. If you’re not a comedian, don’t rely on the jokes. If you’re a gifted artist, skip the built-in clipart in favor of custom art. Everyone has some sort of talent. The important part is to figure out how you can use yours in your OPSEC program.

To be a true OPSEC superstar, you need to be visible. This works on two different levels. You need to be visible (most importantly) within your organization as you deliver presentations and reminders, and generally make yourself available for questions and issues. The OPSEC Officer/Manager/Professional is a critical part of any organization, and successful ones utilize them heavily. You also need to be visible within the OPSEC community as a whole. This is not to suggest shameless self-promotion, but networking, advocacy and mentorship. In a small, close-knit community like the OPSEC community, each is extremely important and highly attainable.

Equally important is to know your audience. OPSEC Awareness campaigns and material need to be tailored to the particular level of the addressees, including technical level and responsibilities. It makes no sense to overwhelm a delivery driver with the full weight of a CIL generation briefing, OPSEC history, etc. Focus on the most important OPSEC aspects for their job or areas of responsibility, and build on that. That’s not to say that you have to maintain dozens of OPSEC orientation briefings, but you do need to focus on the “most important” areas for each group whenever possible.

Know OPSEC, know yourself, be active in the OPSEC community and know your audience. Meet each of those criteria, and you’re on your way to OPSEC fame and fortune.

15Aug OPSEC Awareness Tips

Awareness campaigns are one of the most important tools in the OPSEC professional’s arsenal. Ranging from an Army OPSEC Training Program to local schools or community centers, the OPSEC Awareness program is an opportunity for creativity and employee involvement.

The following list provides ideas for elements of an OPSEC Awareness Program, assuming management support:

Use the company newsletter

Placing regular articles in the company newsletter, such as short, attention-getting mini-articles set off in a box, is sure to grab the attention of readers. If you have an artist on hand, you can create a regular cartoon strip.

Naming and honoring the ‘OPSEC Employee of the Month (Quarter, Year, etc)’

The recognition, such as a plaque or a posted picture, would be a motivating factor, especially if you could get management support for some sort of reward.

Posting OPSEC Awareness posters

Mounting eye-catching, relevant reminders in common areas helps to get the message out. Rotate the posters frequently for maximum effect.

Use of the employee bulletin board

Short reminders and tips should be rotated frequently.

Mailing inserts with paychecks

The paycheck is one piece of mail that’s always opened. Chances are that any inserts are read, or at least glanced at.

Sending E-mail reminders

Depending on management support, the OPSEC Manager or Officer may be able to send periodic reminders to a distribution list.

Use of security-related screen savers

It’s possible to control screen savers via centralized management, especially in a large organization. Your IT department may be able to help you implement and rotate OPSEC screen savers, such as the one on the OSPA website.

A catchy character

NNSA/NSO has the ‘Revelator’ and the ‘Security Health Professional’, and there’s always the Dice-Man. Don’t be afraid to do something that would stand out. If you stand out, so will your message.

Stickers

Reminder stickers can be affixed to telephones (‘Is your caller who he says he is?’), trash cans (‘Should that be shredded?’), shredders (‘Shredder full? Another shredder is located at…’), etc.

Computer login banners

Banners can show an OPSEC reminder prior to logging in, and can be rotated as needed. The shorter the message, the more likely that it will be read. Note: This may not be possible in environments, such as DoD systems, which require a specific banner.

Performance reports and annual reviews

Consider adding OPSEC Awareness as an item on performance reports and annual reviews, as specific to your organization.

Professional membership

Offer employees membership in an OPSEC professional organization, such as OSPA (http://www.opsecprofessionals.org) or OPS (http://www.opsecsociety.org).

Electronic display

Electronic message boards can be used in the cafeteria or common areas to display security reminders, tips or notices.

Fliers or brochures

Fliers or brochures can be made available in conference rooms, break rooms, even rest rooms. Whatever gets the message out.

Gimmicks

People love gimmicks. Consider OPSEC messages in fortune cookies, keychains, toys, etc. Try to use items that will be used frequently and kept, such as pens or mousepads.

Now, a million OPSEC-points to anyone that’s done all of them.

14Aug Julia Child- Great Chef, Super Spy

Famed Chef Julia Child was a spy.

Directly from her own words:
http://www.foxnews.com/story/0,2933,403443,00.html

According to the article, Ms. Child ‘served in an international spy ring managed by the Office of Strategic Services, an early version of the CIA created in World War II by President Franklin Roosevelt’, a group which included professors, actors, reporters, athletes, etc., and ‘studied military plans, created propaganda, infiltrated enemy ranks and stirred resistance among foreign troops’.

In other words, the delightful, older lady puttering around the kitchen in all of our memories was also serving her Country with 24,000 other people just as innocuous as she was.

Why her? Because she didn’t LOOK like a spy. She didn’t fit the stereotype. In reality, the person that ‘looks’ like a spy would be the least effective: they would stand out. It’s the ones that fit in, the ones that have reasonable business in the area, and the ones that are likable that are the most effective for gathering information or other clandestine activities. In other words, your adversary could be the utility man that’s trying to get your building checked so he can go home for his kid’s birthday, or maybe the elderly couple that walked in the door, or… maybe your own employee.

Does that call for ‘purging’ of your workforce and shuttering of the windows? Generally, no. But it is clear that the OPSEC Professional needs to be prudent, and needs to treat EVERYONE with the same level of professionalism and with a security focus, because you just don’t know, and you just can’t assume.

But all the same… Watch what you say in restaurants.

05Aug The devil’s in the details

They say that the devil’s in the details. It’s really amazing how a small change can set off alarm bells in our heads.

For instance, would you read a book called “The Princess and the Pee”? Not if you’re used to the original “The Princess and the PEA”. What if Shakespeare had written “That which we call a daffodil By any other name would smell as sweet”?

Relatively small changes seem to stand out, if you know what you expect to find. It’s important to remember that your adversary can see just as clearly as you can. Remember that deviating from a set pattern can give an important indication of future actions.

For example, if your company always has an armored car deliver funds daily at a certain time, but suddenly they come twice in a day, that could indicate increased financial transactions. If the number of soldiers manning a guard tower suddenly increases, that could indicate an increased security level. If the owner of the company never comes in during the night, but suddenly does on a particular day, something may just be amiss.

See the pattern there? So can they. Remember, sometimes you may want to use your own patterns against a watching enemy.

In the real world, things change and situations arise. You don’t need to lose the competitive or tactical advantage just to avoid deviations from a normal pattern. But be aware that any significant changes, if observed, will be evaluated and matched with other known indicators to try and “figger out” what you’re doing.

31Jul OPSEC in real estate?

I have been in contact recently with the owner of the blog UpstartAgent.com, a real estate blog. Michelle, the owner, had some excellent questions about OPSEC and how it could relate to real estate agents. It was an interesting and enjoyable conversation, but I was most encouraged that she “got it”. She got that it’s impossible to find a profession, role, or even a hobby that couldn’t benefit from OPSEC. Living proof that more people out there are “getting it”!
